Antony Stone
2018-Oct-23 10:40 UTC
[asterisk-users] AMI not listening on secondary IP address?
Hi.

I have three servers running corosync and pacemaker, to maintain a floating address between them. This is working fine, and I can, for example, SSH to the floating address and get to whichever server has the address at the time.

I am trying to connect to the same server (using the same address) for AMI, and it just isn't working, even though I can connect to the primary address of the machine, and I have AMI configured to listen on all interfaces / addresses.

Here's my setup (I'm only talking about the single machine which owns the floating address at the moment here; the other two don't matter for this discussion):

# ip address list
(output abbreviated for clarity, and real IPs mildly obscured)

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fe:ff:00:00:8b:9c brd ff:ff:ff:ff:ff:ff
    inet 289.216.64.218/28 brd 289.216.64.223 scope global eth0
       valid_lft forever preferred_lft forever
    inet 289.216.64.221/28 brd 289.216.64.223 scope global secondary eth0
       valid_lft forever preferred_lft forever

# cat /etc/asterisk/manager.conf
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

# netstat -lptn
Proto Local Address   Foreign Address   State    PID/Program name
tcp   0.0.0.0:5038    0.0.0.0:*         LISTEN   29490/asterisk

So, it all looks like Asterisk is listening on port 5038 for connections from anywhere, to any local address.

But (all the tests below are carried out *from* the same machine I'm trying to connect to, just to eliminate external networking problems as the cause, but if I do the same thing from a remote machine, I get the same results):

# telnet localhost 5038
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
Asterisk Call Manager/2.9.0

# telnet 289.216.64.218 5038
Trying 289.216.64.218...
Connected to 289.216.64.218.
Escape character is '^]'.
Asterisk Call Manager/2.9.0

# telnet 289.216.64.221 5038
Trying 289.216.64.221...
telnet: Unable to connect to remote host: Connection refused

No, it's not a firewall problem; I've currently allowed connections to 5038 from anywhere, in order to debug this problem.

Just to prove that the secondary address does work:

# ssh 289.216.64.221
The authenticity of host '289.216.64.221 (289.216.64.221)' can't be established.
ECDSA key fingerprint is SHA256:1R0SmFqRn5Jukh3GxvXq8/7bvsPq1MPvdGw6GXfUngs.
Are you sure you want to continue connecting (yes/no)?

Anyone got any ideas?

Antony.

--
"Remember: the S in IoT stands for Security." - Jan-Piet Mens

Please reply to the list; please *don't* CC me.
Doug Lytle
2018-Oct-23 10:51 UTC
[asterisk-users] AMI not listening on secondary IP address?
>>> No, it's not a firewall problem; I've currently allowed connections to 5038

Antony,

Do you have any deny/permit section in the manager.conf that would need to be adjusted?

Doug
Antony Stone
2018-Oct-23 11:00 UTC
[asterisk-users] AMI not listening on secondary IP address?
On Tuesday 23 October 2018 at 12:51:56, Doug Lytle wrote:

> >>> No, it's not a firewall problem; I've currently allowed connections to
> >>> 5038
>
> Antony,
>
> Do you have any deny/permit section in the manager.conf that would need to
> be adjusted?

No, and since I posted this, I've found the problem.

netstat -lptn shows me that Asterisk is listening on port 5038

What it doesn't tell me is that I have ipvs (ldirectord) listening on port 5038 and forwarding connections on to back-end servers.

If I change Asterisk's manager.conf to listen on port 5039, I can connect to every address I expect to.

Sorry for the unnecessary question about a rather complex setup...

Regards,

Antony.

--
A user interface is like a joke. If you have to explain it, it means it doesn't work.

Please reply to the list; please *don't* CC me.
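The cause found in this thread can be checked for mechanically by comparing the IPVS virtual-service table with the local listener list. The script below is an added example, not part of the original thread: the function name ipvs_shadowed, both sample outputs and the real-server addresses 10.0.0.11 and 10.0.0.12 are constructed, and it assumes the usual column layout of `ipvsadm -Ln` and `netstat -ltn`.

```shell
#!/bin/sh
# Flag local TCP listeners whose port is also claimed by an IPVS virtual
# service. On a live host feed it:  "$(ipvsadm -Ln)"  "$(netstat -ltn)"

# Constructed sample of `ipvsadm -Ln` output (real-server addresses invented).
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  289.216.64.221:5038 wrr
  -> 10.0.0.11:5038               Masq    1      0          0
  -> 10.0.0.12:5038               Masq    1      0          0'

# Constructed sample of `netstat -ltn` output (full column layout).
SAMPLE_LISTEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# ipvs_shadowed IPVS_TEXT LISTEN_TEXT
# Prints one line per collision: "<virtual addr:port> shadows <listener addr:port>"
ipvs_shadowed() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }
        # IPVS virtual service lines look like: TCP  addr:port scheduler
        !second && $1 == "TCP" { vs[$2] = 1; next }
        # netstat listener lines: column 4 is the local address, column 6 the state
        second && $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, p, ":"); lport = p[n]
            lhost = substr($4, 1, length($4) - length(lport) - 1)
            for (v in vs) {
                m = split(v, q, ":"); vport = q[m]
                vhost = substr(v, 1, length(v) - length(vport) - 1)
                if (vport == lport && (lhost == "0.0.0.0" || lhost == vhost))
                    print v " shadows " $4
            }
        }'
}

ipvs_shadowed "$SAMPLE_IPVS" "$SAMPLE_LISTEN"
```

A reported line means connections to that virtual address and port are handled by IPVS rather than by the local daemon, which is why the wildcard listener shown by netstat does not answer on the floating address.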